Graco Inc. (“Graco”) and its affiliates and subsidiaries (together “we”, “our”, or “us”) are committed to protecting your privacy. This notice describes the categories of Personal Data we process in connection with your use of any of the websites available at www.graco.com (“Websites”) and the services, features or content we offer (“Services”), the purposes for which Personal Data is collected, the parties with whom we share it and the security measures we take to protect your data. It also informs you about your rights and choices with respect to your Personal Data, and how you can contact us to inquire about our data protection practices. Please read this notice carefully. In the event you disagree with any provision in this notice, please do not use Websites or provide any Personal Data. This notice may change from time to time; for more information about notice amendments, see Section XIII below.

is responsible for the processing of your Personal Data as the data controller. You can contact us by phone at +1 (612) 623-6000 or alternatively at the following mailing address:

Graco Inc.
P.O. Box 1441
Minneapolis, MN 55440-1441
USA

III. PERSONAL DATA WE COLLECT ABOUT YOU AND HOW WE COLLECT IT

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

When visiting our Websites you have the option to provide us with Personal Data relating to you. Additionally, when you use our Services we automatically collect certain information about you and your internet usage. The specific categories of Personal Data concerned and the sources from which we obtain them are linked to the way you interact with our Websites and Services. More information about the categories of Personal Data and the ways in which we collect it are described below.

(1) Personal Data You Give to Us. Our Websites offer you the possibility of (i) contacting us via an online request form; (ii) signing up to receive e-mail alerts; and (iii) registering for a Customer Information System (“CIS”) or a Graco External Distributor Interface (“GEDI”) account. The Personal Data thereby collected includes:

If you are a Graco distributor:

Contact information about you such as your first and last name, email address, your phone and fax number, your zip/postal code, your state and country of residence;

Professional information related to you and to those of your employees with access to the CIS and/or GEDI account consisting of your company name, first and last name, (function) title, email address, the company’s general manager’s name, the company’s website, the company’s address, the shipping address and your Graco account number;

Your and your employee’s CIS and/or GEDI passwords; and

Contract information (provided the contract party is the end consumer) such as bank account information, creditworthiness, terms of payment and financing.

The obligatory fields are marked as such on the interface. The use of and the interaction with our Websites or Services is subject to the provision of this information.

If you are a general user:

Contact information such as your first and last name, email address, your phone number, your zip/postal code, your city, state and country of residence; and

Professional information such as your company name.

(2) Personal Data We Automatically Collect. As you navigate through our Websites or when you interact with our Services, we use automatic data collection technologies to collect certain Personal Data about your device, browsing activity, and patterns, including:

Log usage data of your visits to our Websites and use of our Services, including technical session and connection information, resources that you access, traffic data, location data, date and time of access and frequency;

Details of referring websites (URL) and web pages you visited prior to ours.

(3) Cookies Used On Our Websites. We use cookies, beacons and similar technologies on our Websites. Cookies are small data files that are stored on a user’s computer for record keeping purposes. We use them in public areas of our Websites, as well as on the CIS and GEDI areas of the Websites.

Our Websites use single-session (temporary) and multi-session (persistent) cookies. Temporary cookies last only as long as your web browser is open, and are used for technical purposes such as enabling better navigation on our Websites. Once you close your browser, the cookie disappears. Persistent cookies are stored on your computer for longer periods and are used for purposes which include tracking the number of unique visitors to our Websites and Personal Data such as the number of views a page gets, how much time a user spends on a page, and other pertinent web statistics. This Personal Data identifies your browser to our servers when you visit the Websites.

Most web browsers are set to accept cookies by default. If users prefer, they can usually choose to set their browsers to remove and reject cookies. In some cases, removing or rejecting cookies may affect certain features or services on our Websites. If you want to disable the use of cookies or remove them from your computer, you can disable or delete them at any time using your browser (consult your browser's "Help" menu to learn how to delete cookies). Below you will find a detailed list of the first-party cookies we use on our Website:

| Cookie Name | Purpose | Duration | Type |
| --- | --- | --- | --- |
| _ga | Google Analytics. Used to distinguish users. | 2 years | First party |
| _gid | Google Analytics. Used to distinguish users. | 24 hours | First party |
| graco-country, graco-lang, graco-site | Record your preferred country and language setting | 1 year | First party |
| http://www.graco.com/<product link> | Stores the last viewed tab to remember for the user’s next visit | 30 days | First party |
| Tagcloud | Records the number of times a user visits our Websites and personalizes them to the user’s interests. | 1 year | First party |
| cislogin | Record your language setting. | 6 months | First party |
| _utma | Google Analytics. Used to distinguish users and sessions. | 2 years | Third Party |
| _utmb | Google Analytics. Used to distinguish new sessions/visits. | 30 minutes | Third Party |
| _utmc | Google Analytics. Used to distinguish new sessions/visits. | Expires when browser session ends | Third Party |
| utmz | Google Analytics. Stores the traffic source that explains how the user reached the Websites. | 6 months | Third Party |
| _atuvc | Records how many times a webpage has been shared via the AddThis “Share” buttons. | 1 year | Third Party |
| _atuvs | Records how many times a webpage has been shared via the AddThis “Share” buttons. | Expires when browser session ends. | Third Party |
| _mkto_trk | Tracks visitor behavior to measure campaign effectiveness. Anonymous tracking until a user identifies himself by submitting a form. | 2 years | Third Party |
| BVBRANDID | Allows internal Bazaarvoice web analytics to be correlated to the same user for interactions within a particular client domain. | 1 year | Third Party |
| BVBRANDSID | Allows internal Bazaarvoice web analytics to be correlated to the same user browsing session for interactions within a particular client domain. | Expires when browser session ends | Third Party |
| BVID | Allows internal Bazaarvoice web analytics to be correlated to the same user for interactions across the Bazaarvoice network. | 365 days of inactivity | Third Party |
| BVImplredesign_site | Used for client-driven A/B tests. | 2 hours | Third Party |
| BVSID | Allows internal Bazaarvoice web analytics to be correlated to the same user browsing session for interactions across the Bazaarvoice network. | Expires when browser session ends | Third Party |
| breadcrumb | Used to store a history of pages visited on the current website for easier navigation | Expires when browser session ends | First Party |
| user_consent | Used to store the visitor's preference (agree or disagree) of enabling tracking cookies. If visitor disagrees then _mkto_trk is disabled | 1 year | First Party |

(4) Social Media Plugins. When using our Websites we allow you to share information with social media sites and to access our social media profiles through so-called plugins. Social networks are able to retrieve Personal Data through those plugins, even if you don’t interact with them. Moreover, if you are logged onto a social network while visiting our Websites with social plugins imbedded in them, the network can collect and store information about such visit and link it to your social network user account. As we have no control over the data collected by social media networks through their plugins, we encourage you to read their applicable data privacy policies to learn more about them.

Once you choose to share information of our Websites on social media or when you connect with our social media profiles through the plugins, those social media sites allow us to automatically access Personal Data retained by them about you consisting of content viewed by you, content liked by you and information about the advertisements you have been shown or have clicked on. You can restrict our access to your Personal Data by changing your privacy setting on the respective social media site.

Lastly, you can access our Websites via a third-party service, e.g. from our profiles on social networks. In those cases, we collect Personal Data from your social media user account consisting of your first and last name, email address and phone number and any other information you have made public.

IV. HOW WE USE YOUR PERSONAL DATA

We will only process your Personal Data for specific, explicit and legitimate purposes. We will not process your Personal Data for any further purposes than the ones the data was originally intended for, unless the new purpose is compatible with the original one. In the absence of compatibility, the processing of data for further purposes is subject to your prior explicit consent.

We process the Personal Data you provide us with for the purposes listed below:

Communicate with you upon a request to offer information, product support or for the purpose of customer service; and

Send you e-mail alerts to inform you about publications on your investors’ domain.

The Personal Data we collect automatically is statistical data that helps us improve our Websites’ features and functionalities in order to deliver a better and more personalized service, including by enabling us to:

Determine web site traffic patterns;

Count web visits;

Determine traffic sources so we can measure and improve the performance of our site;

Observe site search patterns to provide more intuitive navigation cues;

Determine user frequency and time between user visits; and

Prevent and detect misuse and malfunction of our Websites including troubleshooting.

The processing of all the Personal Data we collect relating to you is either (i) based on your consent; (ii) necessary to provide you with our products and services at your request prior to entering into a contract with you or necessary for the performance of a contract to which you are party; (iii) necessary to comply with a legal obligation; or (iv) based on our legitimate interests in ensuring the functionality of our Websites and Services and that they are tailored to your needs, unless these are overridden by your interests and rights.

V. HOW WE SHARE YOUR PERSONAL DATA

Due to the international scope of our business, your Personal Data can be shared or accessed by Graco-affiliated entities within the company group. You can find more information on data transfers to affiliates based outside of the EU in Section VII. below.

Subject to applicable law and regulations, we share your Personal Data with:

Public authorities, including law enforcement;

Graco distributors;

Service providers acting on our behalf for the purposes listed above in Section V. We require these service providers to only process Personal Data in accordance with our instructions and only as long as necessary to perform the requested services or in compliance with applicable law (e.g., invitation mailing and newsletter distribution providers, website and app administration providers); and

In connection with a merger, joint venture, sale or transfer of all or a portion of our assets or stock, or other similar corporate transactions involving a change of ownership or control.

VI. INTERNATIONAL TRANSFERS OF PERSONAL DATA

International data transfers refer to transfers of Personal Data outside of the European Economic Area (“EEA”). We are a company with operations around the world. Accordingly, our business requires the transfer of Personal Data to and from other group companies or third parties, which may be located outside the EEA, including the United States of America. A list of our worldwide Graco-branded group companies can be obtained here. Our non-Graco-branded subsidiaries include White Knight Fluid Handling, QED Environmental Systems Handling, Gema Powder Coating and its subsidiary SAT S.p.A, as well as Alco Valves Group, and HiP. We will only transfer Personal Data to countries that provide for an adequate data protection standard meeting the requirements as set out by the European Commission. Data transfers to countries not meeting that threshold will only occur in accordance with international data transfer agreements based on EU Standard Contractual Clauses.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our third party dispute resolution provider (free of charge) at https://www.jamsadr.com/eu-us-privacy-shield.

If you are located in the EU or Switzerland you may have the possibility to engage in binding arbitration to address residual complaints not resolved by other means. For additional information about the arbitration process, please visit www.privacyshield.gov.

The Federal Trade Commission has jurisdiction over Graco’s compliance with the Privacy Shield.

Graco is a company with operations around the world. Accordingly, personal information received by Graco may be used globally in connection with employment or business operations within Graco. Personal information may be transferred between Graco entities located in North America, South America, Europe, the Middle East, Africa, Asia-Pacific and elsewhere. Personal information may also be transferred to third parties acting as agents and performing tasks on behalf of and under the instructions of Graco. Graco will transfer personal information received from the EU or Switzerland to a third party agent only if Graco first ascertains that the third party agent subscribes to the Principles, is subject to the European Commission’s Directive on Data Protection or another adequacy finding, or agrees in writing to provide at least the same level of privacy protection as is required by the Principles. Graco may remain liable under the Principles if a third party agent it engages processes personal information received from the EU or Switzerland in a manner inconsistent with the Principles, unless Graco proves it is not responsible for the event giving rise to the damage.

VII. DATA RETENTION

As a general rule, we will not retain your Personal Data for longer than is allowed under the applicable data protection laws or for longer than is necessary in relation to the purposes for which it was originally collected or otherwise processed. In the event of inactivity of your CIS or your GEDI account for the duration of a period of 2 years we will delete your Personal Data, unless statutory retention periods apply.

In the absence of statutory retention periods, alternatively after completion of those periods, we will erase your Personal Data. Further, we will erase your Personal Data where one of the following applies: (i) when you withdraw your consent (where lawfulness of processing was based on your consent) and there is no other legal ground for the processing; (ii) when you object to the processing and there are no overriding legitimate grounds for the processing; (iii) when your Personal Data has been unlawfully processed; and (iv) when it is necessary to comply with legal obligations.

VIII. YOUR RIGHTS WITH REGARD TO YOUR PERSONAL DATA

You have certain rights regarding the Personal Data we maintain about you and certain choices about what Personal Data we collect from you, how we use it, and how we communicate with you.

The right to request access to and receive information about the Personal Data we maintain about you.

The right to rectification or erasure of your Personal Data.

The right to restriction of processing of your Personal Data.

The right to data portability in order to transfer your Personal Data easily to another company.

Where Personal Data processing is based on your consent, the right to withdraw your consent at any time. You can tell us not to send you any further marketing emails by clicking on the unsubscribe link within the marketing emails you receive from us or by contacting us as indicated below.

The right to lodge a complaint with a supervisory authority.

The right to object to processing concerning your Personal Data.

You can submit a request to exercise these rights at any time by contacting our DPC at privacy@graco.com, calling either +1 612 379 3654 (US) or +32 (0) 89 770 860 (EU), or mailing

We have implemented appropriate technical and organizational measures designed to secure your Personal Data from accidental loss and from unauthorized access, use, alteration, and disclosure. These precautions include the use of physical, electronic and organizational measures. Physical security measures are intended to prevent unauthorized access to database equipment and hard copies of Personal Data. Electronic security measures, such as firewalls, restricted access and/or encryption are intended to monitor access to our servers and protect against hacking and other unauthorized access from remote locations. Organizational security measures are intended to limit access to Personal Data to only those employees and service providers who have a specific purpose for maintaining, using, and processing such information.

X. THIRD-PARTY WEBSITES

Our Websites may contain links or references to other websites outside of our control. Please be aware that this notice does not apply to these websites. We encourage you to read the Data Privacy Policies and terms and conditions of linked or referenced websites you enter. These third-party websites may send their own cookies and other tracking devices to you, log your IP address, and otherwise collect data or solicit Personal Data.

XI. CHILDREN

Our Websites are not intended for children and we have no intention of collecting Personal Data from individuals under eighteen years of age. If a child has provided us with Personal Data, a parent or a guardian of that child may contact us to request to have such information deleted by emailing privacy@graco.com, calling either +1 612 379 3654 (US) or +32 (0) 89 770 860 (EU), or mailing

We reserve the right to amend this notice from time to time consistent with applicable data protection laws and regulations. Any changes to this notice will be posted on this page. If we make material changes to how we treat your Personal Data, we will notify you through a notice on the Website home page via a separate banner related to this Data Protection Notice. The date this notice was last revised is identified at the top of the page.

XIII. GRACO IoT DEVICE DATA PROTECTION NOTICES

The following URLs provide Data Protection Notices for relevant Graco products, which may be updated from time to time.